Concealed Position: local privilege escalation attack against Windows

by do son · August 31, 2021

Concealed Position

Concealed Position is a local privilege escalation attack against Windows using the concept of “Bring Your Own Vulnerability”. Specifically, Concealed Position (CP) uses the as designed package point and print logic in Windows that allows a low privilege user to stage and install printer drivers. CP specifically installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM. Concealed Position was first presented at DEF CON 29.

What exploits are available

Concealed Position offers four exploits – all with equally dumb names:

ACIDDAMAGE – CVE-2021-35449 – Lexmark Universal Print Driver LPE
RADIANTDAMAGE – CVE-2021-38085 – Canon TR150 Print Driver LPE
POISONDAMAGE – CVE-2019-19363 – Ricoh PCL6 Print Driver LPE
SLASHINGDAMAGE – CVE-2020-1300 – Windows Print Spooler LPE

The exploits are neat because, besides SLASHINGDAMAGE, they will continue working even after the issues are patched. The only mechanism Windows has to stop users from using old drivers is to revoke the driver’s certificate – something that is not(?) historically done.

How does it work?

Concealed Position has two parts. An evil printer and a client. The client reaches out to the server, grabs a driver, gets the driver stored in the driver store, installs the printer, and exploits the install process. Easy! In MSAPI speak, the attack goes something like this:

Step 1: Stage the driver in the driver store
client to server: GetPrinterDriver
server to client: Response with driver

Stage 2: Install the driver from the driver store
client: InstallPrinterDriverFromPackage

Stage 3: Add a local printer (exploitation stage)
client: Add printer

It is important to note that SLASHINGDAMAGE doesn’t actually work like that though. SLASHINGDAMAGE is an implementation of the evil printer attack described at DEFCON 28 (2020) and has long since been patched. I just so happen to enjoy the attack (it sparked the rest of this development) and figured I’d leave the exploit in my evil server… as confusing as that may be.